Skip to navigation Skip to main content

Utilities

  • Subscriptions
  • Downloads
  • Containers
  • Support Cases
Red Hat Customer Portal
  • Subscriptions
  • Downloads
  • Containers
  • Support Cases
  • Products & Services

    Products

    Support

    • Production Support
    • Development Support
    • Product Life Cycles

    Services

    • Consulting
    • Technical Account Management
    • Training & Certifications

    Documentation

    • Red Hat Enterprise Linux
    • Red Hat JBoss Enterprise Application Platform
    • Red Hat OpenStack Platform
    • Red Hat OpenShift Container Platform
    All Documentation

    Ecosystem Catalog

    • Red Hat Partner Ecosystem
    • Partner Resources
  • Tools

    Tools

    • Troubleshoot a product issue
    • Packages
    • Errata

    Customer Portal Labs

    • Configuration
    • Deployment
    • Security
    • Troubleshoot
    All labs

    Red Hat Insights

    Increase visibility into IT operations to detect and resolve technical issues before they impact your business.

    Learn More
    Go to Insights
  • Security

    Red Hat Product Security Center

    Engage with our Red Hat Product Security team, access security updates, and ensure your environments are not exposed to any known security vulnerabilities.

    Product Security Center

    Security Updates

    • Security Advisories
    • Red Hat CVE Database
    • Security Labs

    Keep your systems secure with Red Hat's specialized responses to security vulnerabilities.

    View Responses

    Resources

    • Security Blog
    • Security Measurement
    • Severity Ratings
    • Backporting Policies
    • Product Signing (GPG) Keys
  • Community

    Customer Portal Community

    • Discussions
    • Private Groups
    Community Activity

    Customer Events

    • Red Hat Convergence
    • Red Hat Summit

    Stories

    • Red Hat Subscription Value
    • You Asked. We Acted.
    • Open Source Communities
Or troubleshoot an issue.

Select Your Language

  • English
  • 한국어
  • 日本語
  • 中文 (中国)

Infrastructure and Management

  • Red Hat Enterprise Linux
  • Red Hat Virtualization
  • Red Hat Identity Management
  • Red Hat Directory Server
  • Red Hat Certificate System
  • Red Hat Satellite
  • Red Hat Subscription Management
  • Red Hat Update Infrastructure
  • Red Hat Insights
  • Red Hat Ansible Automation Platform

Cloud Computing

  • Red Hat OpenShift
  • Red Hat CloudForms
  • Red Hat OpenStack Platform
  • Red Hat OpenShift Container Platform
  • Red Hat OpenShift Data Science
  • Red Hat OpenShift Online
  • Red Hat OpenShift Dedicated
  • Red Hat Advanced Cluster Security for Kubernetes
  • Red Hat Advanced Cluster Management for Kubernetes
  • Red Hat Quay
  • OpenShift Dev Spaces
  • Red Hat OpenShift Service on AWS

Storage

  • Red Hat Gluster Storage
  • Red Hat Hyperconverged Infrastructure
  • Red Hat Ceph Storage
  • Red Hat OpenShift Data Foundation

Runtimes

  • Red Hat Runtimes
  • Red Hat JBoss Enterprise Application Platform
  • Red Hat Data Grid
  • Red Hat JBoss Web Server
  • Red Hat Single Sign On
  • Red Hat support for Spring Boot
  • Red Hat build of Node.js
  • Red Hat build of Thorntail
  • Red Hat build of Eclipse Vert.x
  • Red Hat build of OpenJDK
  • Red Hat build of Quarkus

Integration and Automation

  • Red Hat Integration
  • Red Hat Fuse
  • Red Hat AMQ
  • Red Hat 3scale API Management
  • Red Hat JBoss Data Virtualization
  • Red Hat Process Automation
  • Red Hat Process Automation Manager
  • Red Hat Decision Manager
All Products
Red Hat Product Errata RHSA-2016:0304 - Security Advisory
Issued:
2016-03-01
Updated:
2016-03-01

RHSA-2016:0304 - Security Advisory

  • Overview
  • Updated Packages

Synopsis

Important: openssl security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Updated openssl packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 5.6 and 5.9 Long Life.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

Description

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols, as well as a
full-strength, general purpose cryptography library.

A padding oracle flaw was found in the Secure Sockets Layer version 2.0
(SSLv2) protocol. An attacker can potentially use this flaw to decrypt
RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol
version, allowing them to decrypt such connections. This cross-protocol
attack is publicly referred to as DROWN. (CVE-2016-0800)

Note: This issue was addressed by disabling the SSLv2 protocol by default
when using the 'SSLv23' connection methods, and removing support for weak
SSLv2 cipher suites. It is possible to re-enable the SSLv2 protocol in the
'SSLv23' connection methods by default by setting the OPENSSL_ENABLE_SSL2
environment variable before starting an application that needs to have
SSLv2 enabled. For more information, refer to the knowledge base article
linked to in the References section.

It was discovered that the SSLv2 servers using OpenSSL accepted SSLv2
connection handshakes that indicated non-zero clear key length for
non-export cipher suites. An attacker could use this flaw to decrypt
recorded SSLv2 sessions with the server by using it as a decryption
oracle.(CVE-2016-0703)

It was discovered that the SSLv2 protocol implementation in OpenSSL did
not properly implement the Bleichenbacher protection for export cipher
suites. An attacker could use a SSLv2 server using OpenSSL as a
Bleichenbacher oracle. (CVE-2016-0704)

Note: The CVE-2016-0703 and CVE-2016-0704 issues could allow for more
efficient exploitation of the CVE-2016-0800 issue via the DROWN attack.

A denial of service flaw was found in the way OpenSSL handled SSLv2
handshake messages. A remote attacker could use this flaw to cause a
TLS/SSL server using OpenSSL to exit on a failed assertion if it had both
the SSLv2 protocol and EXPORT-grade cipher suites enabled. (CVE-2015-0293)

A flaw was found in the way malicious SSLv2 clients could negotiate SSLv2
ciphers that have been disabled on the server. This could result in weak
SSLv2 ciphers being used for SSLv2 connections, making them vulnerable to
man-in-the-middle attacks. (CVE-2015-3197)

Red Hat would like to thank the OpenSSL project for reporting these issues.
Upstream acknowledges Nimrod Aviram and Sebastian Schinzel as the original
reporters of CVE-2016-0800 and CVE-2015-3197; David Adrian (University of
Michigan) and J. Alex Halderman (University of Michigan) as the original
reporters of CVE-2016-0703 and CVE-2016-0704; and Sean Burford (Google) and
Emilia Kasper (OpenSSL development team) as the original reporters of
CVE-2015-0293.

All openssl users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. For the update to take
effect, all services linked to the OpenSSL library must be restarted, or
the system rebooted.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux Server - AUS 5.9 x86_64
  • Red Hat Enterprise Linux Server - AUS 5.9 ia64
  • Red Hat Enterprise Linux Server - AUS 5.9 i386
  • Red Hat Enterprise Linux Server - AUS 5.6 x86_64
  • Red Hat Enterprise Linux Server - AUS 5.6 ia64
  • Red Hat Enterprise Linux Server - AUS 5.6 i386

Fixes

  • BZ - 1202404 - CVE-2015-0293 openssl: assertion failure in SSLv2 servers
  • BZ - 1301846 - CVE-2015-3197 OpenSSL: SSLv2 doesn't block disabled ciphers
  • BZ - 1310593 - CVE-2016-0800 SSL/TLS: Cross-protocol attack on TLS using SSLv2 (DROWN)
  • BZ - 1310811 - CVE-2016-0703 openssl: Divide-and-conquer session key recovery in SSLv2
  • BZ - 1310814 - CVE-2016-0704 openssl: SSLv2 Bleichenbacher protection overwrites wrong bytes for export ciphers

CVEs

  • CVE-2015-0293
  • CVE-2016-0703
  • CVE-2016-0704
  • CVE-2016-0800
  • CVE-2015-3197

References

  • https://access.redhat.com/security/updates/classification/#important
  • https://access.redhat.com/articles/2176731
  • https://drownattack.com/
  • https://openssl.org/news/secadv/20160128.txt
  • https://openssl.org/news/secadv/20160301.txt
Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux Server - AUS 5.9

SRPM
openssl-0.9.8e-26.el5_9.5.src.rpm SHA-256: 607fca9a3dfbe32b86464978cc84985ad57aafb420158a40d8e28225f02197c6
x86_64
openssl-0.9.8e-26.el5_9.5.i686.rpm SHA-256: 67a0553ed691baa4bae2bbf88e6d002596f87b0a5971d556c0fb1f48c1798b2c
openssl-0.9.8e-26.el5_9.5.x86_64.rpm SHA-256: 3e3664d9400e85f34cc0fa8674172d53ffe5e8d2c255bae561f36a486a917d24
openssl-debuginfo-0.9.8e-26.el5_9.5.i386.rpm SHA-256: ae08b1bff3d35d5c05539e61e27850d9f926bfd62855727d200a3d36cfe7b7a9
openssl-debuginfo-0.9.8e-26.el5_9.5.i686.rpm SHA-256: 6d9615aa248649ecde8b877fd108683f99654eed3e7f125d751571c705ea25e5
openssl-debuginfo-0.9.8e-26.el5_9.5.x86_64.rpm SHA-256: c3b7fc4fde994d2d45a03d87e8418cb1b6a37fb36c3d055f0b37110264cc73f9
openssl-devel-0.9.8e-26.el5_9.5.i386.rpm SHA-256: 31ca7dde55851eee292a905c6012f6c40a235004c7bfd8fec5f6ef203e4590d3
openssl-devel-0.9.8e-26.el5_9.5.x86_64.rpm SHA-256: 7e024ff5a6052225e5bd187771f524c9e5840d768e8ec589565d14e1d4368144
openssl-perl-0.9.8e-26.el5_9.5.x86_64.rpm SHA-256: 37a27c276dbc19a903a2f52d647bd53557bff5c74bfeed3590731635066e2fae
ia64
openssl-0.9.8e-26.el5_9.5.i686.rpm SHA-256: 67a0553ed691baa4bae2bbf88e6d002596f87b0a5971d556c0fb1f48c1798b2c
openssl-0.9.8e-26.el5_9.5.ia64.rpm SHA-256: 8acb446dec794c2b8c44e140d23becf998ff811cb04ea4e51e63c21f90c77ac0
openssl-debuginfo-0.9.8e-26.el5_9.5.i686.rpm SHA-256: 6d9615aa248649ecde8b877fd108683f99654eed3e7f125d751571c705ea25e5
openssl-debuginfo-0.9.8e-26.el5_9.5.ia64.rpm SHA-256: 0e3aec83b9c3748c24e977072b7ad4c8f77d4b2103d0be0389e8b6f1e82a1be7
openssl-devel-0.9.8e-26.el5_9.5.ia64.rpm SHA-256: 5ddc3ff2897ef5d60aae5d1e0189ed4a28783d5acb2f3c8f30920ca7e093d999
openssl-perl-0.9.8e-26.el5_9.5.ia64.rpm SHA-256: 680cb7ff6fcffa718f22c8a1ca0b63593215ef57e7f2955adf3e45d0afb53fec
i386
openssl-0.9.8e-26.el5_9.5.i386.rpm SHA-256: 906ea88e052d8054ecdcd9643337bd8f772c610c8d05e64329c1ab3ebcac4afd
openssl-0.9.8e-26.el5_9.5.i686.rpm SHA-256: 67a0553ed691baa4bae2bbf88e6d002596f87b0a5971d556c0fb1f48c1798b2c
openssl-debuginfo-0.9.8e-26.el5_9.5.i386.rpm SHA-256: ae08b1bff3d35d5c05539e61e27850d9f926bfd62855727d200a3d36cfe7b7a9
openssl-debuginfo-0.9.8e-26.el5_9.5.i686.rpm SHA-256: 6d9615aa248649ecde8b877fd108683f99654eed3e7f125d751571c705ea25e5
openssl-devel-0.9.8e-26.el5_9.5.i386.rpm SHA-256: 31ca7dde55851eee292a905c6012f6c40a235004c7bfd8fec5f6ef203e4590d3
openssl-perl-0.9.8e-26.el5_9.5.i386.rpm SHA-256: 3c541e925d2ae05c9efaa169ac6ec19ab27c5f67d01eeb854e29431aba1c6398

Red Hat Enterprise Linux Server - AUS 5.6

SRPM
openssl-0.9.8e-12.el5_6.13.src.rpm SHA-256: 5d59d69bd724decb282b0432963e018b28167fea4e1cd71adb95040508210d36
x86_64
openssl-0.9.8e-12.el5_6.13.i686.rpm SHA-256: a172e31666ac7bf332436cc86cd671cec455dec683382943f4aec8a314549a44
openssl-0.9.8e-12.el5_6.13.x86_64.rpm SHA-256: c0fa6157a3df803a30e73112dba427bc6f9e7a9a08e3b59e10b56cfed553588f
openssl-debuginfo-0.9.8e-12.el5_6.13.i386.rpm SHA-256: ffc2c171f6d599f4fa3aa9cc2f2f966243656ccdde409f2dbd8931f02904ac67
openssl-debuginfo-0.9.8e-12.el5_6.13.i686.rpm SHA-256: 01ed4e786cda53d31eb690e537301312d3a2f67b5ed2f0b192dd96ac8b503fef
openssl-debuginfo-0.9.8e-12.el5_6.13.x86_64.rpm SHA-256: 6adfd852efb3a9ef305585da444db9a6f2480496572c9a17af9c06c0e75edc6a
openssl-devel-0.9.8e-12.el5_6.13.i386.rpm SHA-256: 2f980046da33e9fae87a73cb302c437bf3da3f4b223d5f1fd1eb48891eb08986
openssl-devel-0.9.8e-12.el5_6.13.x86_64.rpm SHA-256: eeb4fbc8453d8beaca2c1200be254f2b2753167a27aff0ae7c571339657dbe55
openssl-perl-0.9.8e-12.el5_6.13.x86_64.rpm SHA-256: bd297d21ca596646a3973044d8f7f01aec262d8d9323fa76f2b3c9bc83ea1627
ia64
openssl-0.9.8e-12.el5_6.13.i686.rpm SHA-256: a172e31666ac7bf332436cc86cd671cec455dec683382943f4aec8a314549a44
openssl-0.9.8e-12.el5_6.13.ia64.rpm SHA-256: 42e5082c050b1c505d6c6140761f086be154de45e7660618e31fb194734ca678
openssl-debuginfo-0.9.8e-12.el5_6.13.i686.rpm SHA-256: 01ed4e786cda53d31eb690e537301312d3a2f67b5ed2f0b192dd96ac8b503fef
openssl-debuginfo-0.9.8e-12.el5_6.13.ia64.rpm SHA-256: 25f38239f9783016d8b678a9526c18a07a9afa6861f2391acd4c64f7177b540f
openssl-devel-0.9.8e-12.el5_6.13.ia64.rpm SHA-256: c6edef4a22a40d714ac0f525c89aaf90f102e132cdce737bf65ba7d2cdf36d30
openssl-perl-0.9.8e-12.el5_6.13.ia64.rpm SHA-256: 70cb44b58fa72793f22d79379c087d1b7c2607aae0812c3d500c3d59e6d736a5
i386
openssl-0.9.8e-12.el5_6.13.i386.rpm SHA-256: e829abb9ff809462f5771878f550079c61e0fcf48aead710e237323bbe686391
openssl-0.9.8e-12.el5_6.13.i686.rpm SHA-256: a172e31666ac7bf332436cc86cd671cec455dec683382943f4aec8a314549a44
openssl-debuginfo-0.9.8e-12.el5_6.13.i386.rpm SHA-256: ffc2c171f6d599f4fa3aa9cc2f2f966243656ccdde409f2dbd8931f02904ac67
openssl-debuginfo-0.9.8e-12.el5_6.13.i686.rpm SHA-256: 01ed4e786cda53d31eb690e537301312d3a2f67b5ed2f0b192dd96ac8b503fef
openssl-devel-0.9.8e-12.el5_6.13.i386.rpm SHA-256: 2f980046da33e9fae87a73cb302c437bf3da3f4b223d5f1fd1eb48891eb08986
openssl-perl-0.9.8e-12.el5_6.13.i386.rpm SHA-256: c39eb0a266fb7bab98c4a703b4b885d14eebbb3623651c19c96f9b32fa445289

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Red Hat

Quick Links

  • Downloads
  • Subscriptions
  • Support Cases
  • Customer Service
  • Product Documentation

Help

  • Contact Us
  • Customer Portal FAQ
  • Log-in Assistance

Site Info

  • Trust Red Hat
  • Browser Support Policy
  • Accessibility
  • Awards and Recognition
  • Colophon

Related Sites

  • redhat.com
  • developers.redhat.com
  • connect.redhat.com
  • cloud.redhat.com

About

  • Red Hat Subscription Value
  • About Red Hat
  • Red Hat Jobs
Copyright © 2023 Red Hat, Inc.
  • Privacy Statement
  • Customer Portal Terms of Use
  • All Policies and Guidelines
Red Hat Summit
Twitter